b'          U.S. Department of Energy\n          Office of Inspector General\n          Office of Audit Services\n\n\n\n\nAudit Report\n\nManagement of the Department\'s\nDesktop Computer Software\nEnterprise License Agreements\n\n\n\n\nDOE/IG-0718                             January 2006\n\x0c\x0c\x0c\x0cREPORT ON THE DEPARTMENT\'S DESKTOP COMPUTER\nSOFTWARE ENTERPRISE LICENSING AGREEMENTS\n\n\n\nTABLE OF\nCONTENTS\n\n\n           Software License Management\n\n\n           Details of Finding ........................................................................................1\n\n           Recommendations and Comments ..............................................................6\n\n\n           Appendices\n\n\n           1. Objective, Scope, and Methodology......................................................8\n\n           2. Potential Savings..................................................................................10\n\n           3. Prior Audit Reports ..............................................................................11\n\n           4. Management Comments ......................................................................12\n\x0cSOFTWARE LICENSE MANAGEMENT\n\nSoftware Acquisition   Enterprise license agreements had not been effectively used\nand Management         by the Department of Energy (Department) for managing\n                       the acquisition and maintenance of desktop software across\n                       the complex. Specifically, the Department had not taken\n                       full advantage of existing software agreements and had not\n                       established new agreements for commonly used\n                       applications. In addition, five of the sites we reviewed\n                       acquired and paid annual maintenance fees for software\n                       that was never used. Other sites could not always track and\n                       document the extent to which they used acquired software\n                       licenses.\n                                      Use of Existing Agreements\n\n                       We observed that, in many cases, sites were not taking\n                       advantage of existing enterprise-wide software agreements.\n                       Although the Department established several enterprise\n                       agreements in response to our prior report on its\n                       Commercial Off-The-Shelf Software Acquisition\n                       Framework, a number of sites did not use those\n                       agreements. In particular, 7 of the 16 sites we reviewed\n                       established their own agreements for a common office\n                       automation software suite, which required them to pay as\n                       much as 325 percent more for products than the prices\n                       available by using the existing Department-wide\n                       agreement. For example, Brookhaven National Laboratory\n                       (Brookhaven) paid from $248 to $573 per license for two\n                       separate versions of the same office automation product\n                       even though it was available through a Department-level\n                       agreement at a price of $176.\n\n                       We also noted that eight of the sites we reviewed had\n                       established separate agreements for document imaging\n                       software even though an enterprise-wide agreement\n                       existed. At Sandia National Laboratories (Sandia), we\n                       identified an agreement that required it to pay over 300\n                       percent more ($292 versus $90) for a particular version of a\n                       popular imaging package. Similarly, a contractor at Idaho\n                       National Laboratory had acquired a related imaging\n                       product at $265 per license, versus the $154 per license fee\n                       available from the Department\'s agreement.\n\n                                   Establishment of New Agreements\n\n                       The Department did not take action to negotiate enterprise\n                       agreements for products such as antivirus, security, and\n                       project management software despite the potential for\n\n________________________________________________________________\nPage 1                                            Details of Finding\n\x0c                      significant savings and their widespread use across the\n                      complex. Absent action by Headquarters, sites directly\n                      negotiated with software providers to establish local\n                      agreements or simply purchased software through various\n                      retail venues. As might be expected, these purchasing\n                      practices were not consistent with one another and prices\n                      for the same software varied significantly both between and\n                      within the same site. For example, at two of the sites\n                      reviewed, prices ranged from $12 to $70 per license for a\n                      common antivirus product.\n\n                      For the encryption software most commonly used across\n                      the Department, we noted that sites had negotiated 11\n                      separate purchase agreements and that prices specified by\n                      those agreements ranged from $70 to $208 per license. As\n                      noted by the vendor for this encryption product, savings of\n                      about $630,000 per year in maintenance costs alone could\n                      be realized by negotiating a Department-level enterprise\n                      agreement. Such an agreement could also likely match or\n                      exceed the lowest price observed, potentially saving $138\n                      per license. When applied to the existing universe of\n                      desktops in use across the Department, such savings could\n                      be significant.\n\n                                    License Utilization and Tracking\n\n                      Most of the organizations included in our review did not\n                      effectively manage their inventories of software licenses.\n                      Of the nine field sites visited, only two had fully\n                      implemented an effective system to track software licenses\n                      and related usage. While most of these sites had some type\n                      of desktop management system in place, they were not able\n                      to provide accurate information regarding the number of\n                      licenses maintained or the usage of such licenses. For\n                      example, Lawrence Livermore National Laboratory could\n                      only document that about 65 percent of its licenses for\n                      antivirus software were being utilized. In addition, officials\n                      at Los Alamos National Laboratory (Los Alamos)\n                      acknowledged that the site had tracking problems and\n                      estimated that at least $800,000 in cost savings could be\n                      realized by more effectively managing software acquisition\n                      and maintenance. Documentation provided by Sandia also\n                      disclosed that it was difficult, if not impossible, for the site\n                      to know how many licenses existed at the site.\n\n\n\n\n________________________________________________________________\nPage 2                                            Details of Finding\n\x0c                      Problems with tracking acquisition, utilization, and\n                      maintenance of software licenses made it difficult to\n                      control costs and have complicated the effort to negotiate\n                      new enterprise agreements. For example, at five of the\n                      sites reviewed, we found that approximately 38,000\n                      encryption software licenses had been procured, but\n                      37 percent (14,000) of the licenses had never been used.\n                      Some of these sites, including Headquarters, paid\n                      maintenance fees of more than $625,000 on the unused\n                      licenses over a five year period. The lack of a complex-\n                      wide asset management system may also impact the\n                      Department\'s ability to effectively implement plans to\n                      replace an existing enterprise agreement. We learned that\n                      after nearly four months of effort, the Department was\n                      unable to compile data on the number of office automation\n                      products being used across the complex \xe2\x80\x93 information\n                      needed to determine whether enough licenses are\n                      maintained or if new ones must be acquired.\n\n\nAcquisition and       These problems occurred because the Department had not\nSoftware Management   established a complex-wide desktop software acquisition\nApproach              and maintenance strategy. Despite pressure from the\n                      Office of Management and Budget (OMB) and known best\n                      practices of other organizations, the Department had not\n                      developed complex-wide standards for desktop software,\n                      implemented a common method for acquiring such\n                      software, and did not require organizations to actively\n                      manage their inventory of existing licenses.\n\n                                        Coordinated Approach\n\n                      Despite emphasis from the OMB that an uncoordinated\n                      approach to acquiring common software was wasteful and\n                      ineffective, the Department had not established a formal\n                      policy to support coordination of software purchases\n                      among Headquarters and field sites. Although the\n                      Department had established directives and guidance\n                      relevant to managing information technology investments,\n                      such policies did not specifically address a coordinated\n                      approach to software acquisition and maintenance. In\n                      addition to the lack of specific policy, the Department had\n                      not established a central source of information, or\n                      clearinghouse, to allow sites and programs to identify the\n                      best available contracts or agreements.\n\n\n\n________________________________________________________________\nPage 3                                            Details of Finding\n\x0c                      Numerous officials we spoke with during our review\n                      emphasized the potential benefits of implementing a central\n                      source of such information. Such a mechanism could have\n                      included information about all Department contracts\n                      available for use by sites, as well as current Government-\n                      wide Acquisition Contracts. The Department of Defense\n                      (Defense) also recognized as a best practice the importance\n                      of communicating the existence and benefits of enterprise\n                      agreements across an organization. Although the best\n                      practices identified by Defense were discussed in our prior\n                      report, the Department had not fully implemented similar\n                      practices.\n\n                                          Software Standards\n\n                      The Department also had not developed complex-wide\n                      standards for desktop software or instituted a common\n                      method for acquiring such software. As we noted in our\n                      recent report on Development and Implementation of the\n                      Department\'s Enterprise Architecture (DOE/IG-0686,\n                      April 2005), the Department had not completely defined\n                      current or future information technology requirements,\n                      including desired application standards. Although the\n                      Department had attempted to implement software standards\n                      through the Extended Common Integrated Technology\n                      Environment initiative, it did not include all Headquarters\n                      programs and had not applied those standards to facility\n                      contractors. Had the Department established software\n                      standards, it could have leveraged its buying power by\n                      establishing enterprise-wide, standards-compliant software\n                      contracts.\n\n                      In addition, Department organizations had not implemented\n                      common methods for acquiring software. Specifically, we\n                      noted a lack of consistency in the processes used to acquire\n                      software at the sites reviewed. While a limited number of\n                      sites, such as Headquarters, implemented a mostly\n                      centralized approach to acquiring software, the acquisition\n                      process at other sites, including Brookhaven and Los\n                      Alamos, was highly decentralized. At Los Alamos, we\n                      found that purchasers could have obtained software through\n                      six different approved methods, many without set or\n                      negotiated pricing. Brookhaven also used similar, less\n                      structured purchasing techniques, and paid at least\n\n\n\n\n________________________________________________________________\nPage 4                                            Details of Finding\n\x0c                      27 different prices for two versions of an office automation\n                      product. Without a centralized acquisition process,\n                      Department organizations are unable to effectively control\n                      prices paid for software or project future software needs.\n\n                                        Inventory Management\n\n                      The Department also had not fully utilized or designed\n                      effective systems to manage its inventory of software\n                      licenses, or to track the usage of existing licenses. As\n                      previously noted, sites visited were not able to provide\n                      accurate information regarding software maintenance and\n                      usage due to the lack of effective systems for tracking such\n                      information. We found that the Department had begun\n                      development of an asset management initiative during our\n                      review. While this positive step should assist the\n                      Department with identifying an inventory of software\n                      installed on desktops, this system is not expected to\n                      compare installed software to the number of licenses\n                      acquired. Unless progress is made in this area, the\n                      Department will continue to have difficulty assessing\n                      software needs and usage trends, ensuring effective\n                      utilization of existing licenses, and ensuring that enough\n                      licenses exist to support software installed on desktops.\n\n\nOpportunities for     The Department has expended over $4 million more than\nSavings               necessary by underutilizing existing software agreements\n                      or purchasing software at higher prices, and acquiring\n                      unneeded licenses. Specifically, the Department could\n                      have saved about $2.1 million at the sites reviewed over the\n                      past five years by effectively utilizing existing software\n                      agreements or establishing new ones where possible. In\n                      addition, another $2 million could have been saved at five\n                      sites by optimizing utilization of the number of licenses\n                      acquired and maintained for encryption software. If\n                      improvements focusing on increasing the effectiveness of\n                      software management are not made, the Department will be\n                      unable to realize savings of at least $3.2 million that could\n                      be achieved by leveraging its purchasing power through\n                      utilization of volume discounts and eliminating\n                      maintenance costs on excess software licenses (see\n                      Appendix 2 for details). With the potential for such\n                      significant cost savings, we believe it is vital that the\n                      Department act to more effectively manage its software\n                      acquisition and maintenance process across the complex.\n\n________________________________________________________________\nPage 5                                            Details of Finding\n\x0cRECOMMENDATIONS      To address the issues identified in this report, we\n                     recommend that the Department\'s Chief Information\n                     Officer, in coordination with the Administrator, National\n                     Nuclear Security Administration and other Lead Program\n                     Secretarial Officers:\n\n                          1. Develop and implement a formal policy for\n                             ensuring that software purchases are coordinated\n                             between Headquarters and field sites, to include\n                             consideration of enterprise license agreements\n                             with vendors, where appropriate, and\n                             establishment of a central source of information to\n                             allow sites and programs to identify the best\n                             available contracts or agreements;\n\n                          2. Develop and implement complex-wide desktop\n                             software standards and consistent processes for\n                             acquiring such software; and,\n\n                          3. Ensure that sites/programs design and implement\n                             asset management systems to effectively track\n                             software license inventories and utilization of\n                             existing licenses.\n\n\nMANAGEMENT           Management concurred with the report\'s findings and\nREACTION             recommendations and indicated that proactive steps had\n                     been taken relative to our recommendations. Specifically,\n                     the Department recently established an initiative to\n                     renegotiate/consolidate software license agreements for a\n                     common office automation suite. The initiative resulted in\n                     recommendations to establish a policy for common\n                     acquisition of products, as well as improving related cyber\n                     security. Management strongly agreed that an enterprise-\n                     wide asset management system must be implemented to\n                     identify an accurate accounting of software used across the\n                     complex. Officials noted that the lack of a complete\n                     inventory was no longer on the critical path of current\n                     enterprise license negotiations, but that such information\n                     was critical for completing a license "true-up."\n\n                     The National Nuclear Security Administration indicated\n                     that it had no comments on the report and would work with\n                     the Office of the Chief Information Officer to resolve\n                     issues identified in the report.\n\n\n\n\n________________________________________________________________\nPage 6                              Recommendations and Comments\n\x0cAUDITOR COMMENTS     Management\'s comments are responsive to our\n                     recommendations. Where appropriate, we made changes to\n                     the body of our report to address management\'s comments.\n                     In particular, we modified our report to reflect the change\n                     in current negotiation strategies that ameliorated the impact\n                     of the lack of complete inventory information on current\n                     enterprise-license negotiations.\n\n                     Management\'s comments are included in their entirety in\n                     Appendix 4.\n\n\n\n\n________________________________________________________________\nPage 7                              Recommendations and Comments\n\x0cAppendix 1\n\nOBJECTIVE             To determine whether the Department was effectively\n                      managing the acquisition and maintenance of desktop\n                      software across the complex.\n\n\nSCOPE                 The audit was performed between October 2004 and\n                      January 2006 at Departmental Headquarters in Washington,\n                      DC, and Germantown, MD; the Lawrence Livermore\n                      National Laboratory, Livermore, CA; the Lawrence\n                      Berkeley National Laboratory, Berkeley, CA; the Oak\n                      Ridge Reservation, Oak Ridge, TN; the Los Alamos\n                      National Laboratory, Los Alamos, NM; and the Sandia\n                      National Laboratories and National Nuclear Security\n                      Administration Service Center, Albuquerque, NM.\n\n                      We also obtained information from the Argonne National\n                      Laboratory, Argonne, IL; the Brookhaven National\n                      Laboratory, Upton, NY; the Fernald Closure Project,\n                      Springdale, OH; the Idaho National Laboratory, Idaho\n                      Falls, ID; the Kansas City Plant, Kansas City, MO; the\n                      National Energy Technology Laboratory, Morgantown,\n                      WV, and Pittsburgh, PA; the Pacific Northwest National\n                      Laboratory, Richland, WA; the Pantex Plant, Amarillo, TX;\n                      the Rocky Flats Environmental Technology Site, Golden,\n                      CO; the Savannah River Site, Aiken, SC; and the Strategic\n                      Petroleum Reserve, New Orleans, LA.\n\n\nMETHODOLOGY           To accomplish our audit objective, we:\n\n                           \xe2\x80\xa2   Reviewed applicable laws and regulations\n                               pertaining to acquisition and maintenance of\n                               software licenses. We also reviewed guidance\n                               issued by the Office of Management and Budget;\n\n                           \xe2\x80\xa2   Reviewed reports issued by the Office of\n                               Inspector General;\n\n                           \xe2\x80\xa2   Reviewed numerous documents related to the\n                               Department\'s management of software acquisition\n                               and maintenance activities;\n\n                           \xe2\x80\xa2   Held discussions with program officials and\n                               personnel from Department of Energy\n                               Headquarters and field sites reviewed, including\n                               representatives from the Offices of the Chief\n\n________________________________________________________________\nPage 8                             Objective, Scope, and Methodology\n\x0cAppendix 1 (continued)\n\n                               Information Officer, Environmental Management,\n                               Science, and Fossil Energy, as well as the\n                               National Nuclear Security Administration; and,\n\n                           \xe2\x80\xa2   Reviewed the Government Performance and\n                               Results Act of 1993 and determined if\n                               performance measures had been established for\n                               managing software acquisition and maintenance.\n\n\n                      The audit was conducted in accordance with generally\n                      accepted Government auditing standards for performance\n                      audits and included tests of internal controls and\n                      compliance with laws and regulations to the extent\n                      necessary to satisfy the audit objective. Accordingly, we\n                      assessed internal controls regarding the acquisition and\n                      maintenance of software licenses across the Department.\n                      Because our review was limited, it would not necessarily\n                      have disclosed all internal control deficiencies that may\n                      have existed at the time of our audit. We also assessed\n                      performance measures in accordance with the Government\n                      Performance and Results Act of 1993 regarding acquisition\n                      and maintenance of software. We found that none of the\n                      nine field sites visited had established measures specific to\n                      achieving cost savings associated with software acquisition\n                      or for ensuring effective utilization of existing licenses.\n                      While we did not rely solely on computer-processed data to\n                      satisfy our audit objective, we confirmed the validity of\n                      such data, when appropriate, by reviewing supporting\n                      source documents such as contracts, purchase orders, and\n                      invoices.\n\n                      Management waived an exit conference.\n\n\n\n\n________________________________________________________________\nPage 9                             Objective, Scope, and Methodology\n\x0cAppendix 2\n\nPOTENTIAL SAVINGS    In order to determine potential savings relevant to\n                     leveraging the Department\'s purchasing power, we\n                     compared prices paid at Sandia, Brookhaven, and the East\n                     Tennessee Technology Park for certain common software\n                     products to the lowest prices available through other\n                     existing agreements. Based on our calculations, we\n                     determined that those sites could save about $2.3 million\n                     over the next five years.\n\n                     In addition, we calculated the savings that could be realized\n                     from effectively utilizing existing licenses at certain sites.\n                     We multiplied the number of excess licenses identified for\n                     encryption software by the unit maintenance cost. Using\n                     this methodology, we determined that the Department\n                     could save about $937,000 over the next five years by\n                     eliminating maintenance costs from excess licenses of just\n                     this product.\n\n                     The table below details the possible savings the Department\n                     could realize over the next five years.\n\n                                                 Identified Annual          Potential Savings\n                            Product                   Savings                   (5 years)\n                      Enterprise Agreement Utilization\n                        Office\n                        Automation/\n                        Project\n                        Management                              $353,600              $1,768,000\n                        Document\n                        Imaging Software                         101,000                  505,000\n                        Subtotal                                                        2,273,000\n                      Encryption Software Licenses\n                        Excess encryption\n                        license\n                        maintenance                              187,400                   937,000\n                      TOTAL                                                           *$3,210,000\n                     * Reflects only potential savings at a limited number of the sites\n                     reviewed. We were unable to calculate Department-wide savings.\n\n\n\n\n________________________________________________________________\nPage 10                                         Potential Savings\n\x0cAppendix 3\n\n                              PRIOR AUDIT REPORTS\n\n\n\xe2\x80\xa2   Development and Implementation of the Department\'s Enterprise Architecture\n    (DOE/IG-0686, April 2005). The Department of Energy (Department) had not\n    completely defined its current or future requirements, such as desired systems,\n    supporting applications and hardware, and technology standards. Additionally, the\n    lack of common elements in program architectures, such as complete system\n    inventories and planned future information technology (IT) requirements, made it\n    difficult to identify and eliminate duplicative investments. Without improvements,\n    the Department may be unable to implement an effective corporate approach for\n    managing IT investments.\n\n\xe2\x80\xa2   Special Report - Management Challenges at the Department of Energy (DOE/IG-\n    0667, November 2004). The Department continued to experience challenges in a\n    number of important areas including IT management. While the Department\n    continues to improve its IT management, it still had not fully satisfied the\n    requirements of the Clinger-Cohen Act of 1996. Economy and efficiency issues\n    continued to exist in various IT arenas.\n\n\xe2\x80\xa2   Special Report - The Department of Energy\'s Implementation of the Clinger-Cohen\n    Act of 1996 (DOE/IG-0507, June 2001). The Department had not satisfied major\n    requirements of the Clinger-Cohen Act to develop and implement an integrated,\n    enterprise-wide IT architecture and acquire IT related assets in an effective and\n    efficient manner. Despite many years of effort and significant expenditures, the\n    Department had yet to deploy an integrated, enterprise-wide IT architecture. Because\n    of its decentralized approach to IT management, the Department has been unable to\n    constrain duplicative information systems development and effectively deploy\n    corporate-level systems.\n\n\xe2\x80\xa2   Commercial Off-The-Shelf Software Acquisition Framework (DOE/IG-0463,\n    March 2000). Without a framework, the Department had been unable to take\n    advantage of enterprise-wide software contracts that could have resulted in savings of\n    $38 million. Specifically, the Department had not developed and implemented\n    software standards or effectively used enterprise-wide contracts, key components of a\n    commercial off-the-shelf framework. The Department\'s inability to establish a\n    framework was due to its decentralized IT strategy and lack of organizational support.\n\n\n\n\n________________________________________________________________\nPage 11                                        Prior Audit Reports\n\x0cAppendix 4\n\n\n\n\nPage 12      Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\nPage 13                  Management Comments\n\x0c                                                             IG Report No. DOE/IG-0718\n\n                       CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of\nits products. We wish to make our reports as responsive as possible to our customers\'\nrequirements, and, therefore, ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this report?\n\n2. What additional information related to findings and recommendations could have\n   been included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s\n   overall message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the\n   issues discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should\n   we have any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail it to:\n\n                           Office of Inspector General (IG-1)\n                                 Department of Energy\n                                Washington, DC 20585\n\n                              ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Leon Hutton at (202) 586-5798.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                   http://www.ig.doe.gov\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'